Tags: windows, visual-studio, certificate, publish

visual studio signing error: this certificate is not trusted on this PC


I am trying to sign a UWP app, either debug or release, for the purpose of testing on some other devices. My certificate appears not to be valid.

Here are my steps:

  • I right click on my UWP project, choose "publish", then "create app packages".
  • In the popup, I choose "sideloading".
  • Then I get a step asking whether I'd like to sign the package.
  • I want to choose "yes". I have a certificate where the subject matches the publisher in my manifest. But, just below, it shows a message "this certificate is not trusted on this PC".

If I continue, VS will create a folder containing some installation files. If I click on "...x64.msixbundle", it shows a dialog that says "update ...?", with a note "untrusted app" and a message below "this app package is not signed with a trusted certificate..." (Alternatively, I can run the Install.ps1 script in PowerShell, with the same results.) I cannot go further. And this is on the same PC that I'm doing my development on.

I've attempted to follow the instructions on "Create a certificate for package signing" and some of the adjacent pages. They imply that using the VS wizard should simply work.

P.S. I have never signed a Windows app before. Maybe I should be doing it in a completely different manner?


Solution

  • The certificate where the subject matches the publisher needs to be trusted.

    So what to do:

    a) The certificate is self-signed (the issuer is the same as the subject)

    • Run certlm.msc (for machine wide trust) or certmgr.msc for current user trust.
    • Import the certificate to the Trusted Root Certificate Authorities

    b) The certificate is NOT self-signed (the issuer is NOT the same as the subject)

    You should not need to do anything if you bought a real code signing certificate, as you pay for exactly the trust we are establishing...

    • Get the root/issuer certificate
      • have a *.cer?
        • double click the cer file
        • click the Certificate Path tab.
        • double click the first certificate in the tree - if there is only one ask where you got the certificate from!
        • On the newly opened window click the Details tab
        • Click the Copy to file button to save the root certificate.
      • have a *.pfx? import it
        • Run certmgr.msc
        • Right click on Personal and select Advanced Tasks | Import to import the pfx file.
        • Identify the imported certificate(s) and export the root certificate (see have a *.cer)
    • Run certlm.msc (for machine wide trust) or certmgr.msc for current user trust.
    • Import the root certificate to the Trusted Root Certificate Authorities

    For package signing there are additional requirements on the certificate:

    The certificate that you use to sign the app package must meet these criteria:

    • The subject name of the certificate must match the Publisher attribute that is contained in the Identity element of the AppxManifest.xml file that is stored within the package. The publisher name is part of the identity of a packaged Windows app, so you have to make the subject name of the certificate match the publisher name of the app. This allows the identity of signed packages to be checked against the digital signature. For info about signing errors that can arise from signing an app package using SignTool, see the Remarks section of How to create an app package signing certificate.
    • The certificate must be valid for code signing. This means that both of these items must be true:
      • The Extended Key Usage (EKU) field of the certificate must either be unset or contain the EKU value for code signing (1.3.6.1.5.5.7.3.3).
      • The Key Usage (KU) field of the certificate must either be unset or contain the usage bit for digital signature (0x80).
    • The certificate contains a private key.
    • The certificate is valid. It is active, hasn't expired, and hasn't been revoked.

    Source: https://learn.microsoft.com/en-us/windows/win32/appxpkg/how-to-sign-a-package-using-signtool
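As an added example (not part of the question or the answer above), the following PowerShell script checks a certificate against the criteria quoted in the answer before running the VS wizard: subject matches the manifest Publisher, EKU and KU allow code signing, a private key is present, the validity period holds, and the chain builds to a root trusted on this PC. It assumes the certificate is already in the CurrentUser\My store and takes its thumbprint and the path to the project's Package.appxmanifest as parameters; both are placeholders you supply.

```powershell
# Usage: .\Check-SigningCert.ps1 -Thumbprint <cert thumbprint> -ManifestPath .\Package.appxmanifest
param(
    [Parameter(Mandatory)] [string] $Thumbprint,     # placeholder: thumbprint of the signing cert
    [Parameter(Mandatory)] [string] $ManifestPath    # placeholder: path to Package.appxmanifest
)

$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
[xml] $manifest = Get-Content -Path $ManifestPath -Raw
$publisher = $manifest.Package.Identity.Publisher   # e.g. "CN=Contoso" in a fresh VS project

$checks = [ordered]@{}

# 1. Subject name must equal the manifest Publisher (plain string compare; RDN order matters).
$checks['Subject matches Publisher'] = ($cert.Subject -eq $publisher)

# 2. EKU: either unset or containing Code Signing (1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$checks['EKU allows code signing'] = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3')

# 3. KU: either unset or with the DigitalSignature bit (0x80) set.
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$checks['KU allows digital signature'] = (-not $ku) -or (($ku.KeyUsages -band $digSig) -ne 0)

# 4. A private key must be available, otherwise nothing can be signed.
$checks['Has private key'] = $cert.HasPrivateKey

# 5. Validity period.
$now = Get-Date
$checks['Within validity period'] = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

# 6. Trust and revocation: build the chain the way the installer will. A fresh self-signed
#    certificate fails here with UntrustedRoot, which is the "not trusted on this PC" message;
#    importing it into Trusted Root Certification Authorities (as in the answer) makes it pass.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$checks['Chains to a trusted root'] = $chain.Build($cert)
if (-not $checks['Chains to a trusted root']) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ('Chain status: {0} - {1}' -f $_.Status, $_.StatusInformation.Trim())
    }
}

# Print one line per check so the failing requirement is obvious.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```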